Some Illegal Movie Downloads May Contain Trojan Threat

If you use torrent software to download advance copies of movies or your favorite TV shows, your machine could be part of a large and sprawling botnet called Sathurbot.

The hackers behind the botnet upload infected torrent files that contain a small executable described as being a video codec you need in order to play the movie file. It’s actually malware, and if you run the executable, it will install the Sathurbot.dll file on your machine, which will make it part of their network.

Once it’s installed, the file can auto-update to receive additional instructions from the hackers controlling it.

Right now, the botnet is focused on growth, so all of their slaved machines have been tasked with targeting small blogs – mostly WordPress, but the hackers aren’t picky. Infected machines will attempt to log in as the site admin and infect the site, which, in turn, can serve as a springboard to infect any of the site’s users or visitors, thus expanding their network.

Interestingly, each computer that’s part of their botnet only makes one attempt to log into each website before passing the baton to another infected computer. This is to prevent that computer’s IP address from being blacklisted, and preserving its ability to try again later on.

While the botnet is currently focused on growth, once its numbers hit whatever threshold the hackers have in mind, it could easily be rented out to other interested parties and used to conduct DDOS attacks against specified targets. It could also be used as a launchpad to infect a specific network, initiate phishing attacks and the like. The possibilities are virtually endless.

The bottom line is that if you watch pirated movies or have a WordPress website, it’s possible that you’ve been infected. Run a search of your PC and look for the presence of Sathurbot.dll. If it’s on your system, you’re unwittingly part of the botnet.

If you maintain a website, look at your directory structure to see if there are any new folders you don’t recognize. If so, your best bet is to delete them and restore your site from your most recent non-infected backup.